[email protected]

Aliases: [email protected], W32/[email protected]
Variants: Email-Worm.Win32.Small.a

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 30 Apr 2006
Damage: Low

Characteristics: Most reports identify this threat as a mass-mailing worm. The [email protected] has been observed to take advantage of certain vulnerabilities found in Instant Messaging clients, allowing it to use the application as a transport mechanism. The worm normally harvests the contents of the computer user's contact list and attempts to send its code directly to these remote machines.

More details about [email protected]

On initial execution, the [email protected] malware attempts to drop an executable file into the root directory of the target computer system. Some reports indicate that the newly created file may carry the hidden attribute to protect it from being deleted by the computer user. This routine differs from the common practice of other worm variants, which normally target the operating system's directory and use it as a storage location. After successfully writing its executable file, the [email protected] adds a value for its EXE file to the Windows Registry. The [email protected] worm also uses the Windows Registry to attain automatic startup status, allowing it to be loaded together with the operating system.
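The installation behaviour described above (an executable written directly to a drive root, possibly hidden, and launched from a registry autostart value) can be checked for during triage. The following is an added example, not part of the original write-up: it correlates an exported list of autostart entries with a file inventory. All value names, paths and the `triage` and `command_target` helpers are constructed for illustration, since the page does not give the worm's file or registry names.

```python
import re

# Constructed sample data (not from the original page): autostart entries as
# (registry value name, command line) and a file inventory as (path, hidden flag).
SAMPLE_AUTORUNS = [
    ("HealthTray", r"C:\Windows\System32\healthtray.exe"),
    ("upd", r'"C:\placeholder_dropper.exe" /s'),
    ("Sync", r'"C:\Program Files\Sync\sync.exe" -background'),
]
SAMPLE_FILES = [
    (r"C:\placeholder_dropper.exe", True),
    (r"C:\pagefile.sys", True),
    (r"C:\Program Files\Sync\sync.exe", False),
]

# An executable sitting directly in a drive root: "C:\name.exe", no subfolder.
ROOT_EXE = re.compile(r'^[A-Za-z]:\\[^\\/:*?"<>|]+\.exe$', re.IGNORECASE)


def command_target(command):
    """Extract the executable path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        # Quoted path: everything up to the closing quote.
        return command[1:].split('"', 1)[0]
    # Unquoted path: take everything up to the first ".exe".
    match = re.match(r'(.+?\.exe)\b', command, re.IGNORECASE)
    return match.group(1) if match else command


def triage(autoruns, files):
    """Flag autostart entries that launch an executable from a drive root.

    Severity is "high" when the inventory also marks that file as hidden,
    matching both traits described in the text, otherwise "medium".
    """
    hidden = {path.lower() for path, is_hidden in files if is_hidden}
    findings = []
    for name, command in autoruns:
        target = command_target(command)
        if ROOT_EXE.match(target):
            severity = "high" if target.lower() in hidden else "medium"
            findings.append((name, target, severity))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUNS, SAMPLE_FILES):
        print(finding)
```

A finding is a lead for review rather than a verdict, because some legitimate installers also place executables in a drive root.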

When the [email protected] successfully installs itself on the compromised computer system, it immediately attempts to collect all user names in the contact list of the Instant Messaging application. The [email protected] uses these names as the basis for sending spiked email messages. The malware normally appends the domain associated with the Instant Messaging client to complete the email address of the recipient. The subject line normally states that the attachment is an important program upload. The [email protected] always includes an executable file attachment with every email message it sends out.